Event Type Operational Risk Reference Taxonomy

Taxonomy - November 2019

A strategic priority for the operational risk community

Over the past 15 years, the operational risks facing financial services have changed significantly. Risks like cyber, third party and conduct have become a top priority and are taking center stage in boardroom discussions.

This changing risk profile, combined with a recent shift of focus away from capital measurement towards risk management, means that many organisations are updating their operational risk taxonomies. In doing so, they are deviating from the Basel Event Types and in the absence of a common standard, we have observed a great deal of divergence.

So, in 2018 we began our work to create an updated reference taxonomy for operational risk. In 2019 we worked with Oliver Wyman to develop the Event Type Taxonomy for operational and non-financial risk. The following year, we published the Cause and Impact Taxonomy. Together, these two resources make up the ORX Reference Operational Risk Taxonomy.

In line with our mission to improve operational risk management throughout the financial sector, we've made summaries of both taxonomies freely available. We've also created guidance that you can purchase to help you use the taxonomy to its fullest advantage.

Based on insights and data from the financial industry

“Our strategic priority was to create a common point of reference for operational risk taxonomies, laying the foundations which allow industry debate and consistent industry sharing of insights and data going forward."

Simon Wills, Executive Director, ORX

The Event Type Taxonomy is based on data and inputs from our member firms, meaning that it reflects industry practice and direction of travel.

Using information from 60 member firms who shared their taxonomies, our new reference taxonomy updates the level 1 risks proposed in our previous version and digs deeper into level 2 risks. The data we collected came from a wide range of financial institutions, allowing us to create a taxonomy that can be used by banks and insurers, no matter their size, around the world.

Empowering you to manage the operational risks of the current landscape

The taxonomy can be used as a key reference to benchmark against and observe industry trends. We haven’t created the taxonomy as a standard specifically intended to be adopted wholesale.

Instead, you can use our taxonomy to help develop your organisational taxonomies and provide industry evidence to support change.

Feedback from a recent survey of our members indicated that the ORX Reference Operational Risk Taxonomy is being adopted or considered a standard across the financial industry. Our members say it saves them time and money in implementing their own taxonomies, and is valuable tool for industry benchmarking.

Top-level observations from the data

While reviewing the submitted taxonomies, we noticed four key themes from across the data:

1. An increase in level 1 size and use of risk "themes"
2. The use of different "dimensions" to define level 2 risks
3. Causes and/or control failures were often included
4. There was clear divergence of practice between the taxonomies

To help you get the most from our updated reference taxonomy, we’ve also created guidance and supporting documentation. The guidance gives you an overview of the taxonomy and provides detailed information about each level 1 risk.

This includes definitions and examples of level 2 risks and deep dives into areas commonly debated in the industry – for example, conduct and third party. 

The guidance is free for ORX members and available for non-members to purchase alongside the complete ORX Operational Risk Reference Taxonomy.

New guidance added in 2023

In 2022, we ran a survey with our members to see how they're using the taxonomy and identify where we could provide further support to our community. Based on this survey, we've republished the Event Type Taxonomy with additional guidance on:

• Third party/vendor fraud
• Rogue trading
• Climate risk
• Transformation risk
• Strategic Risk
• Resilience theme
• Artificial Intelligence and Machine Learning
• Control failures and boundary risks
• Use in conjunction with the Cause and Impact Taxonomy

Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2024

Contacts: